Published by Cybersecurity Practice
May 23, 2023
In his recent spring budget statement, Chancellor Jeremy Hunt announced a £2.5 billion ‘national quantum computing programme’,¹ as part of a new National Quantum Strategy, with the vision for “the UK to be a leading quantum-enabled economy by 2033”.² While quantum computing may not be grabbing as many headlines as AI, this level of investment is a clear sign that the UK government views it as an equally important prospect for the future.
As with AI, the ultimate form of this quantum prospect remains relatively uncertain, and its potential applications are broad and sometimes difficult to predict. Tech giants across the world are already hard at work on quantum networking and communications, while there are great hopes for its use in pharmaceutical research and development, and even in addressing climate change. One of the most commonly posited effects, however, is less positive: the breaking of traditional encryption methods.
The theory, put simply, is that while current encryption methods have been designed to be prohibitively difficult for traditional computers to break, the capabilities of a sufficiently powerful quantum computer will render this task trivial. If and when this occurs – and most seem to agree that this will happen at some point – the entire world will be faced with one of the main components of secure data transmission and storage being rendered useless.
Exactly how long this will take is unknown. Predictions range from the optimistic (or pessimistic, depending on your viewpoint) eight years, to more than two decades from now.³ There are already concerted efforts to put together so-called ‘quantum-safe’ encryption methods ahead of time, but this future event poses a threat that already exists and could impact organisations today.
This threat is the concept of ‘steal now, decrypt later’ – that is, if a hostile actor knows that in the near future traditional encryption may be broken, then they could steal data now while it still uses that traditional encryption, and simply sit on it until quantum computing catches up.⁴ Naturally, this kind of attack is of limited use for data that won’t retain its value over the course of a decade or longer, but for data with a longer shelf life it poses a real concern.
Of course, the ideal solution to this issue would be to secure everything with a quantum-safe encryption method as soon as possible. However, such encryption remains a moving target; last summer, the USA’s National Institute of Standards and Technology announced four candidates for cryptographic algorithms deemed “quantum resistant”⁵, only for one of the four to be broken a month later using a ‘classical’ (i.e., not quantum) laptop.⁶ In any case, even these proposed methods are still undergoing stringent testing and appraisal, and are not yet ready for widescale applications.
A more straightforward solution does exist: keep doing everything you can to stop bad actors from being in a position to steal encrypted data in the first place. Even before the looming threat of quantum, encryption should never have been considered the be-all and end-all of data security. Following security best practices within your organisation can drastically reduce the chances of attackers having access to files – encrypted or not – for them to extract. We’ve spoken before about maintaining healthy password habits and fostering a zero-trust environment in your organisation, both of which will have a substantial impact on your overall cybersecurity.
Looking more broadly, an excellent first step on that journey is to work towards Cyber Essentials certification, and the more comprehensive Cyber Essentials Plus. These are government-backed schemes aimed at preparing organisations for cyberattacks and improving their security posture. They will task you with casting a critical eye over your organisation’s current security and IT practices, and provide rock-solid guidelines based around five key technical themes: firewalls, secure configuration, user access control, malware protection, and security update management. ITGL has extensive experience working with organisations in the public and private sectors to help them achieve these certifications. If you’re uncertain about the best place to start, we’d love to talk through your current situation, and the areas in which you can most effectively make improvements – just get in touch at firstname.lastname@example.org.